Bugzilla – Bug 1122729
VUL-0: CVE-2016-10739: glibc: getaddrinfo should fully parse IPv4 address strings
Last modified: 2024-05-13 14:35:02 UTC
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1347549
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10739
http://www.cvedetails.com/cve/CVE-2016-10739/
https://sourceware.org/bugzilla/show_bug.cgi?id=20018

All the versions are affected. There is a fix at [1] which, when applied, should also include [2]. The POC can be found at [3], along with additional information regarding this bug. To exploit this bug, an attacker also needs to take advantage of CVE-2016-5699, which has already been fixed.

[1] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=6ca53a2453598804a2559a548a08424fca96434a
[3] https://sourceware.org/bugzilla/show_bug.cgi?id=20018
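
An application-side check for the parsing behaviour this bug describes, as an added example that is not part of the bug report or of the glibc fix: accept a host string only if the whole of it is a dotted-quad IPv4 address, and only then pass it to getaddrinfo. The function names and the sample strings are assumptions constructed for illustration; on a glibc version affected by this bug the `getaddrinfo=` column may report 1 for the inputs with trailing text.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 only if the whole string is a dotted-quad IPv4 address.
   inet_pton() accepts nothing but four decimal octets, so trailing
   whitespace or any extra characters make it fail. */
int is_strict_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Ask getaddrinfo() to treat the string as a numeric host only
   (AI_NUMERICHOST, so no DNS lookup). Returns 1 if it was accepted. */
int getaddrinfo_accepts(const char *s)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(s, NULL, &hints, &res) != 0)
        return 0;
    freeaddrinfo(res);
    return 1;
}

/* Policy for callers that cannot rely on a patched glibc: validate
   first, and only then hand the string to getaddrinfo(). */
int resolve_numeric_checked(const char *s)
{
    return is_strict_ipv4(s) && getaddrinfo_accepts(s);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "127.0.0.1", "127.0.0.1 trailing text",
                              "127.0.0.1\r\nX-Example: 1", "127.0.0.1 " };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: strict=%d getaddrinfo=%d checked=%d\n", i,
               is_strict_ipv4(samples[i]), getaddrinfo_accepts(samples[i]),
               resolve_numeric_checked(samples[i]));
    return 0;
}
```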

SUSE-SU-2019:0903-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1100396,1122729,1130045
CVE References: CVE-2016-10739
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): glibc-2.26-13.19.1
SUSE Linux Enterprise Module for Development Tools 15 (src): glibc-2.26-13.19.1, glibc-utils-src-2.26-13.19.1
SUSE Linux Enterprise Module for Basesystem 15 (src): glibc-2.26-13.19.1
*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1250-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1100396,1122729,1130045
CVE References: CVE-2016-10739
Sources used:
openSUSE Leap 15.0 (src): glibc-2.26-lp150.11.17.1, glibc-testsuite-src-2.26-lp150.11.17.1, glibc-utils-src-2.26-lp150.11.17.1

SUSE-SU-2019:1102-1: An update that solves three vulnerabilities and has four fixes is now available.
Category: security (moderate)
Bug References: 1100396,1110661,1122729,1127223,1127308,1128574,1131994
CVE References: CVE-2009-5155,CVE-2016-10739,CVE-2019-9169
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): glibc-2.22-100.8.1
SUSE Linux Enterprise Server 12-SP4 (src): glibc-2.22-100.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src): glibc-2.22-100.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0015-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1122729
CVE References: CVE-2016-10739
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src): glibc-2.22-133.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): glibc-2.22-133.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

I think it's done.